The Financial Services Authority (FSA) has fined the UK branch of Zurich Insurance for failing to have adequate systems in place to prevent the loss of 46,000 UK customers’ personal details.
The £2.275 million fine is the highest fine that the FSA has imposed on a single firm for data security failings.
Zurich UK’s failings in systems and controls came to light when the company lost customers’ confidential details, a loss that the FSA said could have led to “serious financial detriment for customers” and even exposed them to the risk of burglary. Alongside the lost UK customer data, data on the company's entire South African customer base of 550,000 clients was also lost, but this is not covered by the FSA ruling.
The lost data included identity details, bank account and credit card information, and details about insured assets and security arrangements.
As well as failing to ensure it had effective systems and controls in place to manage the risks to the security of customer data under the outsourcing arrangement, the FSA said that Zurich UK did not have effective systems and controls in place to prevent the lost data being used for financial crime. The breach period ran from 1 August 2007 to 14 August 2009.
However, the FSA said: “Zurich UK has seen no evidence to suggest that the personal data was compromised or misused.”
Zurich UK outsourced the processing of some of its general insurance customer data to its South African branch, Zurich Insurance Company South Africa Limited (Zurich SA). In August 2008, the South African branch lost an unencrypted back-up tape during a routine transfer to a data storage centre.
Zurich UK is believed not to have learned of the loss until an internal audit a year later, because proper reporting lines were not in place.
In addition to the personal details of 46,000 customers, the FSA said that deficiencies in the management of security procedures involving data tapes in South Africa potentially also affected a further 5,000 UK customers whose personal data was not on the lost tape, but was otherwise held in South Africa.
Margaret Cole, the FSA’s director of enforcement and financial crime, said: “Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA.”
Zurich UK avoided an original £3.25 million fine from the FSA by settling at an early stage of the investigation to qualify for a 30 percent discount.
Chris McIntosh, CEO of the Stonewood Group, said: “Zurich's £2.28 million fine is the largest we've seen for a single loss and should act as a wake-up call. If organisations are moving sensitive data around, it has to be encrypted.”
He added: “The FSA has made clear the issue with this incident is not just the loss itself. It is the tardiness with which it was eventually reported. Waiting a year, as Zurich's sister company did on this occasion, is quite frankly beyond unacceptable.”